MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145
SHA3-384 hash: 30a0bf2427b896da10a2e510669a96dbf308d0f2e721836d9fc71c77643ef8276afc2685e17c019e6174abe6f234750f
SHA1 hash: 7e0b819ba7163f7837a5fedb9d4f0cf28050a02b
MD5 hash: e61dffb557266167a4b9c244c8c8a699
humanhash: low-august-december-maine
File name:PO 181084.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:658'432 bytes
First seen:2020-07-20 09:07:15 UTC
Last seen:2020-07-22 11:15:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Cu3dK1q9I6/kldSCcSplYstzDyaod+ik4g8y3SoD:CuNKO/SvDzW2rEloD
Threatray 545 similar samples on MalwareBazaar
TLSH B3E4DFC89AA05404C6ED2FF99E628AB943347D09F5F2930F1FC0B98F297A793D854752
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: server.360degreeinfo.online
Sending IP: 162.144.150.204
From: Lisa Tan <sc01@inply.com>
Subject: RE: PO 181084
Attachment: PO 181084.arj (contains "PO 181084.exe")

AveMariaRAT C2:
158.69.115.206:5200

Intelligence

File Origin
# of uploads :
7
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28853/
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391168
Behaviour
Behavior Graph:
Download SVG
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 05:38:42 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eblt5kzxaf5nbrnng4ri7xgf4324mto5xmtv6uhojxgi3q6ugfcq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
032f594e26c4a20fc56b06210d294f7134f6c9a51cf30b7125db4683465a6643
AveMariaRAT
0698cbff335f16544c0a97a71df4f0e52ee4dbddf3cadad2ee0ac52103ea8ed2
AveMariaRAT
662e6858fb2067c38af99173b7a3201a148bd9104771badd96868bccc20ec687
AveMariaRAT
7ffbd591d72f33b826c40da82f5f72195ca4af6a311bb934862f3cd190d4fdad
AveMariaRAT
880bba3fa9d2e255ad00cc35d53aa361bcdf739d16064d669a4b21b9a8034f73
AveMariaRAT
9c33a1f6a337e39a99c4480f19e63fbaeee191defcd51c8a908e9af9da8e115c
AveMariaRAT
aed6c9d200b86186575d13e40ed7231c61bba34c0159c19ca6428168019da4f9
AveMariaRAT
c8d4a30dc6aa1224dd98bbb384b54e90ee845cbb0e0e591964868a0be5657897
AveMariaRAT
d4f9f7cd2d03cd2a1ede00200777caac9bd3ca5c337ce6bf6e15a3ff8e53f844
AveMariaRAT
ebd23b0402ce1f9f8d45a37ec77fc89381869a3399aa2d405830e7eb05299ad3
AveMariaRAT
+ 535 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-8ek1hsffjx/
Behaviour
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 1ec1bdf770161f455266bc10b97a1af6441b391995e96bf93492c102cd299d32

AveMariaRAT

Executable exe 20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145

(this sample)

  
Dropped by
MD5 25d1c40227a6d9c8f1396fbc09ba5d8a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28853/
  
Dropped by
SHA256 1ec1bdf770161f455266bc10b97a1af6441b391995e96bf93492c102cd299d32

Comments